Who is a CISO, anyway?
How the role of a CISO has transformed since it was first introduced in 1985.
Cyber Security is a seemingly straightforward concept, yet once examined closely, a labyrinth of branches and twists emerges, creating a demand for various skill sets – not only tech-related ones. Thus, the role of a CISO had to evolve from a nerdy techie to a savvy businessman – and my research with twelve IT experts has not only confirmed this assumption, but also pointed to the fact that the extra-technological factors may soon take over as the main focus of the efforts to ensure corporate cyber welfare.
The most significant disagreement between members of the Steering Committee lay within the realm of legal affairs, and more specifically – the infamous GDPR. Namely, some felt saturated by the seemingly never-ending influx of information, while others were hungry for updates, case studies and different angles on it. Nonetheless, what caught my attention was the NIS directive, affectionately named “the poor cousin of GDPR” by Christian Wernberg Tougaard from Deloitte. Overshadowed and underestimated, the NIS directive does appear to deserve the attention it has so far lacked, as it is a lot more innovative (at least legally speaking!) than the GDPR, and non-compliance may have just as severe consequences for businesses.
Cyber Security is a magnetic topic – every year, it attracts more research, more funding, more self-proclaimed enthusiasts, but… the Nordic Region still suffers from a lack of IT Security experts. What is more alarming, according to Kimmo Halunen, Senior Scientist at VTT, is the fact that many companies have still not resolved this issue. Luckily, it is largely perceived as a challenge to find new solutions – be it through the introduction of automation, opening entry-level positions, or, the top hit nowadays – outsourcing.
The idea of outsourcing any type of service is not new, but Cyber Security is not your typical branch of IT – it requires much more attention to the commercial and legal, as opposed to purely technical, aspects. How much can vs. how much should be outsourced? Finding the balance between the limits of Infosec Technology and profitability has proven nothing short of problematic. On top of that, Cyber Security has stretched as far as ethics, as the modern CISOsopher must consider questions such as whether responsibility can be outsourced as part of the service. Not having an answer ready can be more devastating than it seems, as the Swedish Transport Agency learned first-hand in 2017.
It is therefore not a surprise that the role of a CISO has transformed significantly since it was first introduced in 1985. They must now be able to build a business case for IT Security funding, demonstrate ROI and think outside the box, should the traditional methods fail. They are also the new corporate consumers, buying various security solutions, yet many lack a deep technical understanding of the product, resulting in decreased productivity and increased spending. However, are they to blame? In an era when solution providers are in tight competition, investing more in tech and much less in meaningful marketing, we are witnessing a situation where the interests of both parties do not always overlap fully, as they should.
Buying more is rarely the best solution, as the more services are digitalised, the more end up being accessible to cyber intruders. As if the current level of complexity of many businesses’ IT infrastructure was not already enough to give any CISO a headache… Yet in terms of cyber attacks, the opposite of the old maxim holds: quantity beats quality. Forget the spectacular and sophisticated breaches – they happen once in a long while. The real plague is the multiple and intense attempts to disrupt the daily operations of a business, carried out by not-so-clever-but-keen tricksters.
Effective Cyber Security can therefore only be achieved through collaborative work between various departments; and as time goes on, these departments will only get more specialised and more numerous, and good communication will become an ever more crucial aspect of ensuring success and safety. Therefore, a CISO of today is an individual of various trades and skills, but most importantly, one with their head in business and heart in security.
Find out more about NordX Summit taking place on 12th – 13th February 2019 in Copenhagen, Denmark.